Understanding Disclosure Controls and Procedures:

Transcription

1 Understanding Disclosure Controls and Procedures: Helping CEOs and CFOs Respond to the Need for Better Disclosure A Risk Management and Governance Board Discussion Brief

2 Understanding Disclosure Controls and Procedures: Helping CEOs and CFOs Respond to the Need for Better Disclosure A Risk Management and Governance Board Discussion Brief Copyright 2005 The Canadian Institute of Chartered Accountants 277 Wellington Street West Toronto, Canada M5V 3H2

3 2 Understanding Disclosure Controls and Procedures Preface Recent changes to Canadian securities laws have increased the importance of maintaining an effective system of disclosure controls and procedures (DCP). Canadian securities laws have for a long time required issuers to provide all existing or potential investors with equal access to information that may affect their investment decisions. Beginning with fiscal years ending on or after March 31, 2005, issuers in Canada must file certificates of their CEOs and CFOs attesting to their disclosure controls and procedures. These certification requirements are similar to those that are in effect in the United States under the Sarbanes-Oxley Act of Effective December 31, 2005, investors in the secondary market will have a statutory right in Ontario to sue public companies, their directors and certain officers and other persons for materially inaccurate, incomplete, or misleading disclosure and failure to make timely disclosure (Bill 198). The existence and nature of a system of disclosure controls and procedures is a circumstance which a court is required to consider in determining whether a defendant to a proceeding initiated under the new legislation has made out a due diligence defence. The Risk Management and Governance Board (RMGB) of the Canadian Institute of Chartered Accountants (CICA) has developed this briefing to help senior management of issuers meet the regulatory requirements for DCP and respond to the emerging risk of civil litigation related to disclosure. It will also help Boards of Directors to understand their oversight responsibility for DCP and the implications for and risks of civil liability associated with that role. Presently, no best or recommended practices exist, other than those suggested by the securities regulators. This document describes the DCP issues facing issuers and the experiences and practices of several Canadian companies listed on both the Canadian and US stock exchanges. The material in the document is based on a study that included a comprehensive literature review, meetings with a selection of inter-listed Canadian public companies ( participating companies 1 ), discussions with members of the investment community and other interested parties, and intensive committee review. For a copy of the questionnaire used during interviews with participating companies, refer to Appendix A. The design and evaluation of DCP are in an evolutionary state as issuers and regulators develop 1 See Appendix A for a copy of the questionnaire used during the meetings to collect feedback.

4 3 Understanding Disclosure Controls and Procedures experience with the requirements. The principles described in this document should remain relatively unchanged but techniques are likely to be refined and improved over time. The RMGB encourages readers to submit comments to The Board acknowledges and thanks the companies that participated in the study, the members of the DCP Task Force, Gordon Beal and Peter W. Roberts who wrote this document under the guidance of the Task Force, the editor, Hugh Lindsay, and the CICA staff who provided support to the project. Thomas Peddie, FCA Chair, Risk Management and Governance Board Authors Peter W. Roberts, FCA, CPA (Illinois) Gordon Beal, CA Editor Hugh Lindsay, FCA, CIP Project direction by Gigi Dawe, Principal, Risk Management and Governance Risk Management and Governance Board Thomas Peddie, FCA, Chair Dan Cornacchia, FCA Brian Ferguson, CA John Fraser, CA Lee Giles, CA Michael Harris, CA Peter W. Roberts, FCA, CPA (Illinois) Josee Santoni, CA DCP Task Force Brenda Eprile, FCA Brian Ferguson, CA Michael Harris, CA Andrew J. MacDougall, LLB Thomas Peddie, FCA CICA Staff Gordon Beal, CA Principal, Risk Management and Governance Gigi Dawe Principal, Risk Management and Governance William Swirsky, FCA Vice President, Knowledge Development

5 4 Understanding Disclosure Controls and Procedures How to use this document In 2004, the Canadian Performance Reporting Board of CICA published a discussion brief, CEO and CFO Certification: Improving Transparency and Accountability to stimulate discussion and commence a process to develop and communicate a better understanding of the CEO and CFO certifications. The discussion brief is a valuable guide to certification that includes an introduction to DCP. Understanding Disclosure Controls and Procedures: Helping CEOs and CFOs Respond to the Need for Better Disclosure expands on the growing body of knowledge and experience of DCP. The two documents complement each other, and reading both together can benefit one s understanding of the application of DCP. This document focuses on raising awareness of what corporate executives and directors need to know about Disclosure Controls and Procedures. It is not a how to manual but rather a summary of the experiences of participating companies that were selected by CICA for the study on which the document is based. The document has four distinct purposes: Raise awareness of DCP for CEOs and CFOs Assist CEO and CFO to design and evaluate a suitable DCP for their company Help those responsible to implement DCP Raise Board of Directors awareness of their oversight role in DCP. Companies listed on stock exchanges in the United States will have gained experience with DCP by reporting to US regulators but may gain additional insight from this document. Companies which are listed only in Canada and have little or no formal experience with the recent DCP requirements should find the document helpful in getting started. You may find that you already have DCP that, with some fine tuning, will enable you to meet Canadian regulatory requirements. This document will provide an opportunity to compare what your company is currently doing with the participating companies and to consider if any of their practices might be applicable in your situation. The implementation and application of DCP will vary between different organizations, depending on their size, nature and complexity of business, and available resources. One size does not fit all, and a cost-benefit analysis should be undertaken to establish the most appropriate DCP for each issuer. Figure 1 illustrates the structure of this document and represents an approach for the design and evaluation of DCP 2. Figure 1 An Approach for the Design and Evaluation of DCP CLEAR SENSE OF PURPOSE Continuous Disclosure Obligations CEO/CFO Certification Improving Disclosure Risk Mitigation Civil Liability COMMITMENT TO ENHANCED DISCLOSURE Tone from the Top Control Environment Board/CEO/CFO Culture of Transparency Consistent Policies EVALUATING DCP Documentation Existence of DCP Effectiveness of DCP Monitor and Learn CAPABILITY ASSESSMENT Where Are We Now? Common Current Practices Controls and Procedures Coordination Training 2 Based on the Canadian Institute of Chartered Accountants Guidance on Control.

6 5 Understanding Disclosure Controls and Procedures Table of Contents Introduction The Relationship Between DCP and ICFR Disclosure Controls and Procedures Internal Control over Financial Reporting DCP: A Clear Sense of Purpose Compliance with continuous disclosure obligations CEO and CFO certification Improving disclosure internally and externally Mitigating risks related to disclosure Avoiding or defending against civil liability A Commitment to Enhanced Disclosure Control environment Tone from the top leadership Culture of transparency Policies integral to DCP Disclosure policy Code of business conduct and ethics Whistleblower policy Communication and training Capability Assessment: Where Are We Now? Where do we get the information? How do we report the information internally? How do we use the information? How do we determine what information is material? Common Current Practices Inventory of disclosure obligations: the disclosure universe Identification of individual information conduits Disclosure committee Disclosure coordination Issues identification, escalation, and review process Documentation of DCP Sub-certification or manager attestation process Certification checklists or questionnaires Quarterly disclosure and certification meetings Central database of disclosure information Evaluating DCP: Monitoring and Learning Evaluation of DCP Conclusion Where to find more information Appendices Appendix A Appendix B Appendix C Appendix D

7 6 Understanding Disclosure Controls and Procedures Introduction Trust depends on transparency. 3 Capital markets are built on trust. Companies that issue shares and other securities must maintain the trust of investors by providing the comprehensive, accurate and timely information they need to make informed investment decisions. That is why transparency in disclosure is a key aim of regulatory requirements. A long-standing example of transparent disclosure can be found in corporate financial statements prepared from formal financial systems with internal controls over financial reporting (ICFR) that provide reasonable assurance of their reliability. Regulators now require the application of similar diligence to the disclosure of all material aspects of a company s condition, including non-financial information on major business activities and product lines, operating facilities, staffing, corporate structure, and so on. This information is generally available from non-financial systems that are used to manage operations and provide internal information for strategic and operational planning and monitoring. Legislation and regulations in Canada and the United States require issuers to have Disclosure Controls and Procedures for the preparation and dissemination of all corporate information to the investment community. DCP are the internal systems, controls and procedures that have been established by an organization to provide reasonable assurance that information used internally and disclosed externally is reliable and 3 Tapscott and Ticoll, The Naked Corporation; in which transparency is defined as the accessibility of information to stakeholders of institutions, regarding matters that affect their interests.

8 7 Understanding Disclosure Controls and Procedures timely. The definitions in Canada and the United States include two major components: Information required to be disclosed is recorded, processed, summarized and reported within the time periods specified. Information to be disclosed is accumulated and communicated to the issuer s management to allow timely decisions regarding required disclosure. DCP must cover all continuous disclosure practices, including both financial and non-financial information disclosed in the quarterly and annual financial statements, the quarterly and annual management discussion and analysis (MD&A), the annual information form, material change reports, news and media releases. Although the focus of securities regulation is principally on disclosure required under securities legislation, participating companies have indicated that DCP should be broader and should address all public disclosures that could in one way or another impact the well-being of the corporation. For example, an issuer may be required to compensate investors that were harmed by misleading disclosure contained in other written communications released by, or on behalf of, the issuer or in public oral statements made by the issuer. The DCP requirements would also, therefore, appear to apply to information presented in websites, conference calls with analysts and investors, industry road shows, interviews, one-on-one sessions with analysts, etc. Although not specifically listed in DCP requirements under securities laws, these disclosure channels may include information that could affect investment decisions. I believe that disclosure controls and procedures must cover all information that may be communicated by a corporation in one form or another which could impact a shareholder s (or potential shareholder s) decision on investment (whether to buy or sell) in the company. Senior executive, participating company Under securities regulations in Canada and the United States the CEO and CFO must certify that, among other things, they are responsible for establishing and maintaining their company s disclosure controls and procedures. The Board, which has an oversight responsibility for external communications, must satisfy itself that the company has an effective system of DCP and complies with all DCP requirements including Board approval of certain disclosure documents. These requirements are reinforced by amendments to provincial securities legislation (Bill 198 in Ontario) that make Boards, CEOs and CFOs liable to be included in any potential lawsuits that relate to misleading or untimely disclosure. A major concern identified by issuers is the cost of compliance with DCP regulations. The experience of participating companies is that it can be expensive, but less so than compliance with the Sarbanes-Oxley Act of 2002 (Sec. 404). The companies found it difficult to quantify the benefits but agreed they expect DCP will contribute positively to operational efficiency and the company s credibility and reputation and thus to the peace of mind of directors and executives. On balance they concluded that DCP are worth the cost.

9 8 Understanding Disclosure Controls and Procedures The challenge for an issuer s management and Board is to develop DCP that include: Formal systems that are understood and followed consistently, and that support a culture of transparency and enhanced disclosure An awareness and understanding of all continuous disclosure requirements A climate that supports the courage required to identify all material and potentially material information, and communicate it to the disclosure process The capacity to manage the flow of this information in a timely and efficient way Processes that support Board approval of the annual MD&A that include the results of the evaluation of DCP. This document discusses and describes current issues and practices for the design and evaluation of effective DCP in six sections: The Relationship Between DCP and ICFR DCP: A Clear Sense of Purpose A Commitment to Enhanced Disclosure Capability Assessment: Where Are We Now? Common Current Practices Evaluating DCP: Monitoring and Learning

10 9 Understanding Disclosure Controls and Procedures The Relationship Between DCP and ICFR Regulators have defined their quality control requirements for corporate disclosures under two categories: Disclosure Controls and Procedures (DCP) and Internal Control over Financial Reporting (ICFR). The definitions are as follows: Disclosure Controls and Procedures DCP are controls and other procedures of an issuer that are designed to provide reasonable assurance that information required to be disclosed by the issuer in its annual filings, interim filings or other reports filed or submitted by it under provincial and territorial securities legislation is recorded, processed, summarized and reported within the time periods specified in the provincial and territorial securities legislation and include without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in its annual filings, interim filings or other reports filed or submitted under provincial and territorial securities legislation is accumulated and communicated to the issuer s management, including its chief executive officers and chief financial officers (or persons who perform similar functions to a chief executive officer or a chief financial officer), as appropriate to allow timely decisions regarding required disclosure. 4 Internal Control over Financial Reporting ICFR is a process designed by, or under the supervision of, the issuer s chief executive officers and chief financial officers, or persons performing similar functions, and effected by the issuer s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of 4 Multilateral Instrument Certification of Disclosure in Issuer s Annual and Interim Filings.

11 10 Understanding Disclosure Controls and Procedures financial statements for external purposes in accordance with the issuer s GAAP and includes those policies and procedures that: (a) pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer; (b) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with the issuer s GAAP, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer, and (c) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer s assets that could have a material effect on the annual financial statements or interim financial statements. 5 Generally, ICFR is considered to cover all reporting of financial information in disclosure documents including the annual information forms, the annual and interim financial statements, and the annual and interim management discussion and analysis (MD&A). The financial information that flows from the ICFR will also often be used for other disclosures such as periodic reports, conference calls and press releases. This financial information will be subject to a variety of DCP prior to being released as an external disclosure. For an example of how ICFR and DCP might apply in a selected situation, see Appendix B. While there is considerable information in the marketplace concerning ICFR, little guidance exists on the topic of DCP, and issuers are facing the challenge of dealing with both issues. ICFR does not cover all information that must be disclosed. ICFR are, however, based on understood and established principles that apply to financial reporting. These include the completeness, accuracy and authorization of transaction recording; the application of Generally Accepted Accounting Principles (GAAP); and the prevention and detection of fraud. ICFR is also a key consideration for auditors under Generally Accepted Auditing Standards. Rather than risk compromising ICFR by adapting and expanding it to cover all aspects of disclosure, the regulators have left ICFR essentially unchanged, and have raised the profile of DCP to fill in the gaps. 5 Multilateral Instrument Certification of Disclosure in Issuer s Annual and Interim Filings and proposed Multilateral Instrument Reporting on Internal Control over Financial Reporting.

12 11 Understanding Disclosure Controls and Procedures With respect to the role of DCP and ICFR Canadian securities regulators suggest that: While there is a substantial overlap between the definition of disclosure controls and procedures and internal control over financial reporting, there are both some elements of disclosure controls and procedures that are not subsumed within the definition of internal control over financial reporting and some elements of internal control over financial reporting that are not subsumed within the definition of disclosure controls and procedures. For example, disclosure controls and procedures may include those components of internal control over financial reporting that provide reasonable assurances that transactions are recorded as necessary to permit the preparation of financial statements in accordance with the issuer s GAAP. However, some issuers may design their disclosure controls and procedures so that certain components of internal control over financial reporting pertaining to the accurate recording of transactions and disposition of assets or to the safeguarding of assets are not included. 6 Participating companies in the CICA research indicated that an effective system of DCP would require an effective system of ICFR. DCP and ICFR were described as integrated, with both forming an integral part of the organization s control structure. A common message conveyed in the study was that it is difficult to isolate one from the other. In fact, the Securities and Exchange Commission (SEC) in the United States has observed that it would be unlikely that an issuer with a material weakness in internal control over financial reporting would be able to conclude that it had effective disclosure controls and procedures. Individuals interviewed by the CICA indicated that given the interconnectedness of internal control over financial reporting and disclosure controls and procedures, Canadian CEOs and CFOs will have to evaluate internal control over financial reporting as part of their annual requirement to certify that they have evaluated the company s disclosure controls and procedures. 6 Companion Policy CP To Multilateral Instrument Certification of Disclosure in Issuer s Annual and Interim Filings.

13 12 Understanding Disclosure Controls and Procedures DCP: A Clear Sense of Purpose The design and evaluation of effective DCP start with a clear understanding of why DCP are necessary. Participating organizations connected the design, implementation and evaluation of DCP to a clear set of objectives that typically included: Compliance with continuous disclosure obligations CEO and CFO certification Improving disclosure internally and externally Mitigating risks related to disclosure Avoiding or defending against civil liability. Participating companies stated that one of the challenges they faced in reviewing their DCP was how to determine what is enough. The answer in most cases was tied to their understanding of why DCP were being implemented in the first place. Compliance with continuous disclosure obligations It is a fundamental principle of securities regulation that everyone investing in securities should have equal access to timely, complete and accurate information that may affect their investment decisions. In establishing DCP, issuers need to have a clear understanding of their continuous disclosure obligations. To assist issuers, the regulators and legislators have in recent years sought to improve disclosure practices by: Defining the continuous disclosure obligations of issuers (NI ) Providing new guidance on timely disclosure requirements and prohibitions against selective disclosure (NP )

14 13 Understanding Disclosure Controls and Procedures Providing guidance on best disclosure practices (NP ) Requiring certification by CEOs and CFOs (MI ) Introducing statutory rights of action for investors to seek compensation for misleading or untimely continuous disclosure (Civil Liability). CEO and CFO certification 7 As DCP cover a broad range of disclosures, the scope of the certification regarding DCP is also broad, extending beyond financial statements, Management s Discussion and Analysis and Annual Information Forms, to include all filings required to be submitted to securities regulators. Both the CEOs and CFOs of issuers are each required to make certifications regarding the information being disclosed within the annual and interim filings, including that, based on their knowledge: There is no untrue statement of a material fact They have not omitted to state a material fact required to be stated They have not omitted to state a material fact that is necessary to make a statement not misleading The financial statements together with other financial information in the filings fairly present in all material respects the financial condition, results of operations and cash flows of the corporation DCP not only support the reports which the CEO and CFO are required to certify, but are also the subject of certain other statements to be certified by the CEO and CFO. Both in Canada and in the United States the CEO and CFO are required to certify the existence and effective operation of DCP. Specifically, Multilateral Instrument Certification of Disclosure in Issuer s Annual and Interim Filings and Section 302 of the Sarbanes-Oxley Act of 2002 require certification by the CEO and CFO (or individuals performing equivalent functions) that: They have designed disclosure controls and procedures (or caused them to be designed under their supervision) They have evaluated the effectiveness of such disclosure controls and procedures. In Canada this evaluation is to be done annually with disclosure of their conclusions regarding their evaluation to be included in their company s annual MD&A. In the United States this must be completed quarterly. The certification requirements are extensive and place responsibility and accountability squarely onto the shoulders of the CEO and CFO of each corporation. Effective DCP will assist the CEO and CFO in meeting their obligations to certify their public disclosure documents by providing the necessary level of comfort they need to make the certifications. 7 For a copy of the certification refer to Appendix C Annual CEO and CFO Certificate, and Appendix D Interim CEO and CFO Certificate.

15 14 Understanding Disclosure Controls and Procedures Improving disclosure internally and externally Although compliance with regulations is a principal purpose of DCP, an effective system can result in other important benefits. Improved external disclosure often begins with improved internal disclosure or internal systems of communication and reporting. External communications are often created from the processes used internally to manage the company s business. DCP are the systems that manage this internal communication and flow of reliable information. Participating companies stated that effective DCP should enhance the identification, collection, analysis and timely reporting of information to appropriate levels of management to support decisions on disclosure. Effectively designed DCP can lead to a higher quality of external disclosure that will provide the investment community with a better understanding of the issuer and its business. In addition to improved external disclosure decisions, the effective and timely flow of information from across an organization contributes to better strategic and operational decision-making, which can lead to improved operating results. Participating companies stated that DCP should work to provide CEOs, CFOs, and other senior leadership with all material information that pertains to the organization. In designing their DCP, a number of participating companies assessed all existing and proposed controls and procedures in the context of directly improving the internal flow of information. These participants indicated that by designing and utilizing a focused and efficient information gathering and assessment process they have realized benefits in terms of improvements in operating efficiency by reducing duplication and eliminating unnecessary activities. They expect that this will ultimately be reflected through improved financial results. Mitigating risks related to disclosure Most participating companies have taken a risk-based approach to designing and establishing an effective system of DCP by assessing the level of risk they associate with various types and channels of disclosure. The level of diligence of the DCP process designed for a particular disclosure is based on the risk associated with that disclosure. In determining what is enough, corporate leadership will assess its risk tolerance with respect to types and channels of disclosure and their impact on the overall disclosure picture. There is always the risk that disclosure may be untimely, incomplete or inaccurate, which could adversely affect the corporation s reputation and, in some cases, potentially subject the corporation (and others) to fines, penalties and damage claims. In the case of disclosure consisting of or derived from the financial statements and the MD&A, the existence of other relevant controls contributes to the mitigation of risk related It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you ll do things differently. Warren Buffett

16 15 Understanding Disclosure Controls and Procedures to a disclosure. For example, in the case of financial information that is included in financial statements and other disclosures, the existence of ICFR will support DCP. A well-designed system of DCP incorporates these controls and mitigates the overall risk. It is not uncommon for public issuers to assign a greater risk factor with respect to potential errors in the financial statements in comparison to potential errors in other disclosure documents. For example, some companies perceive the Environmental, Health and Safety Report as a relatively low-risk disclosure document and therefore subject it to limited DCP. Other companies review such reports with more rigour, on the understanding that they can have a significant impact on the reputation of the company. The decision on how much DCP is enough depends on the nature of the issuer s industry, the risk tolerance of the leaders of each company and their assessment of the importance of each disclosure to investors and other users. For most participating companies DCP are being designed to improve the quality of disclosure in all external reports, to mitigate the risk of misleading or potentially damaging information. Selective disclosure that is, the failure to actively and effectively disseminate material financial or non-financial information in a broad manner affects the channels of disclosure used by a corporation. It can result in material information not being generally disclosed, possibly leading to negative market reaction and legal and regulatory action. National Policy Disclosure Standards states that selective disclosure most often arises in one-on-one discussions such as analyst meetings, and in industry conferences and other types of private meetings, but it can occur elsewhere. 8 A corporation should assess the risk of this occurring at any time including at the annual general meeting or other corporate events, during one-on-one meetings with investment analysts, or through discussions with other stakeholders. Effective DCP should be designed to help the corporation prevent the occurrence of selective disclosure, and should help to mitigate the risk of the inadvertent disclosure of any information of a material nature that has not been broadly disseminated. 9 One of the most commonly recognized examples of selective disclosure in Canada in recent years is in a case where employees of the company disclosed information about third quarter earnings per share results, and a revised forecast for the next quarter, to 13 analysts who covered the company but not the marketplace generally. A ruling by the Ontario Securities Commission was clear that such action constitutes selective disclosure and is not acceptable. Until there is greater guidance in this area, the decision on how much DCP is enough will depend on the risk tolerance of the CEO and CFO of each issuer, and their assessment of the risk related to all types and channels of disclosure. (See 20 Questions Directors Should Ask about Risk) 8 National Policy Disclosure Standards; Section 5.7 Selective Disclosure Violations Can Occur in a Variety of Settings. 9 The SEC Rule on Selective Disclosure and Insider Trading (Regulation FD Fair Disclosure) provides a comprehensive explanation of the issue.

17 16 Understanding Disclosure Controls and Procedures Avoiding or defending against civil liability The existence of potential civil liability for secondary market disclosure adds a new dimension to all of the above issues. A risk now arises that investors will seek redress in the event of a failure to disclose material financial or non-financial information, or the disclosure of such information in a misleading way, or the failure to disclose such information on a timely basis. All leaders of public corporations continuously face the challenge of determining what needs to be disclosed and when it should or should not be disclosed. Corporate leaders face decisions related to providing the market with information that could materially affect results. At times it can be a challenge to balance the risks of disclosing too much information or not enough. The CEO, CFO and other senior business leaders face a broad range of possible answers to an ever expanding range of disclosure questions; and they are increasingly being pressed to make judgments that may subsequently face close scrutiny and criticism by a multitude of parties. In assessing the risk of civil liability for disclosure that is alleged to be misleading or untimely, corporate leaders will reflect on many questions, including What do we know, when did we learn of it, and what should we disclose? The CEO and CFO need to apply judgment to a wide variety of uncertainties. Effective DCP provide the information that will be used in applying this judgment. Effective DCP can also enhance an issuer s defense against claims that may arise that challenge the accuracy, completeness and timeliness of its disclosure. DCP will not only contribute to the corporation undertaking all reasonable efforts in the area of disclosure but can also serve as evidence that the corporation is doing so.

18 17 Understanding Disclosure Controls and Procedures A Commitment to Enhanced Disclosure Companies can demonstrate their commitment to transparency and their DCP by establishing policies and procedures within a control environment that provides support, communication and training. This commitment is needed not only to comply with the DCP requirements, but also to realize improved operational performance from enhanced DCP. It s important to encourage people with the wits and guts to speak up. A senior corporate executive Compliance with DCP applies to all issuers, regardless of their size. Larger issuers generally have adequate resources, whereas smaller issuers often do not. Nevertheless, the smaller issuers are still held to the same standards. These issuers will have to identify their disclosure responsibilities and establish appropriate processes to ensure they meet them. Control environment In the context of DCP, the control environment supports and demonstrates commitment to transparency, integrity, and effective disclosure through the following elements: 10 Shared ethical values that are established, communicated and practiced throughout the organization, focused on the integrity, ethical values, transparency and competence of its people A tone from the top that demonstrates and reinforces management s philosophy and operating style A culture of integrity and transparency throughout the organization created, nurtured, and continuously reinforced by the CEO, CFO, other senior executives, and the Board 10 Based on elements of the COSO Internal Control Integrated Framework and the Canadian Institute of Chartered Accountants Guidance on Control.

19 18 Understanding Disclosure Controls and Procedures Accountability mechanisms with clear roles, responsibilities, and accountabilities that support the way management assigns authority and responsibility Policies and procedures that communicate priorities and confirm support and commitment for the way management organizes and develops its people, which are consistent with the organization s values, with a focus on the achievement of its objectives The Board of Directors confirms its commitment to disclosure through the attention and direction it provides. An effective control environment should result in all of the above working together in a coordinated manner. The components must consistently focus on fostering an atmosphere of mutual trust that supports the flow of information between people, across the organization, right up to its leadership. Everyone within the organization must be provided with, or enabled to acquire, the necessary knowledge, skills, and tools that support the disclosure process. All participating companies commented on the importance of the shared values of mutual trust, integrity, transparency and open communication in demonstrating a commitment to effective DCP. These shared values must be established, communicated and practiced throughout the organization. They influence the behaviour of all individuals across the organization, beyond the specific controls and procedures that may or may not be in place. A key to the behaviour of the organization is the tone from the top, represented by the values and preferences of senior management and the Board of Directors. Commitment needs to be demonstrated by leadership of the corporation through tone, in addition to a culture of transparency that permeates the organization. Tone from the top leadership Participating companies consistently identified tone from the top as being integral to establishing effective DCP. It is the role of the CEO, CFO, and the Board to set this tone. A simple message that promotes open and honest internal disclosure across the entire organization, supported by mutual trust, is a necessary precursor to effective external disclosure. Tone from the top, however, is far more than just a clearly communicated message. The values articulated within the tone must be modeled in and consistent with the behaviours and decisions of leadership in order to demonstrate and reinforce leadership commitment. It is the actions of the corporation, under the direction of its leadership, which reinforce the importance of openness, honesty, and integrity. Senior executive, participating company Another message from participating companies is that leaders must clearly demonstrate that they value and desire to hear both good and bad news. Participants stated that leadership commitment to receiving both positive and negative information plays a significant role in the

20 19 Understanding Disclosure Controls and Procedures organization s disclosure process. All information must flow internally in order to optimize decisions regarding external disclosure. Leaders of participating companies who have had the most success with establishing values that support and promote DCP within their organizations: Identified and committed human resources to deal with this area Hired additional personnel as necessary Committed training and development resources Committed an adequate amount of their own time and effort to the process Committed other resources such as Information Technology. An example of committed resources is the creation of internal teams to work with process owners in the design and integration of DCP. For smaller issuers this may be a small team or a single individual, but participating companies stated that this contributed to setting the tone for commitment to DCP. The CEO, CFO, and the Board, were identified as the key players in setting tone from the top. However, to be most effective, it is crucial that the tone also reach deeper into senior management ranks. The tone must flow consistently across the entire senior management team. Culture of transparency The goal of demonstrating tone from the top is that it ultimately becomes the organizational tone. This occurs when the leadership tone has influenced the behaviours of all members of the organization. This is a process of cultural change that can only come with time. For a number of participating companies a culture of transparency was a critical focus. Either as a result of a corporate merger that had occurred, or in direct response to the need for increased transparency, they focused on embedding disclosure into their organizational culture. The requirement to comply with the regulations was viewed as an opportunity to convey a sense of urgency and to build momentum for change across leadership and staff. Participating companies indicated that responsibility for the corporation s disclosure and the related controls and procedures need to be shared by all people across the organization and made integral to their respective roles and responsibilities.

21 20 Understanding Disclosure Controls and Procedures Policies integral to DCP Participating companies use policies to clarify, communicate, and regularly confirm control and organizational objectives and a commitment to a culture of transparency. Policies provide a vehicle for articulating and communicating a consistent message across the entire organization that clarifies roles and responsibilities, scope, and coverage, in terms of how and where the policy should be applied. The most common policies that support an organization s DCP are the Disclosure Policy, Code of Conduct, and the Whistleblower Policy. Although the names of the policies varied somewhat from company to company, the essence remained relatively constant. They set the objective of supporting an organizational tone and culture focused on integrity, ethical behaviour, transparency and disclosure. To demonstrate their commitment to good disclosure, a few participating companies posted their policies on their corporate website. Disclosure policy The disclosure policy is used by participating companies to communicate the overall corporate disclosure objective and to articulate the purpose of disclosure and DCP. It is an important piece of documentation of corporate-wide DCP that: Demonstrates and reinforces organizational commitment Supports the capability of the organization and its individuals Clarifies the purpose and commitment, priorities, scope of the control activities, and roles and responsibilities of individuals Provides guidance on decisions related to disclosure and materiality Provides guidance for handling a variety of disclosure related issues Gives direction and provides the coordination of effort across the organization. A significant benefit of a disclosure policy is to raise awareness of the risk of selective disclosures that can lead to charges of insider trading and tipping. A clearly defined disclosure policy, and diligence in ensuring its compliance, can mitigate the company s exposure to the risk that an individual could selectively divulge material information about the company, such as previously undisclosed new product initiatives to a journalist or research analyst at a sales conference. Although the existence of a disclosure policy is not a requirement under Canadian securities laws, all participating companies had one, and most have had a disclosure policy for a number of years. National Policy Disclosure Standards, released July 12, 2002, recommends the establishment of a Corporate Disclosure Policy as a Best Disclosure Practice. Within this National Policy a number of Best Disclosure Practices are identified and are described as practical measures that companies can adopt to help ensure good disclosure practices. 11

22 21 Understanding Disclosure Controls and Procedures Examples of disclosure policies from the participating companies generally addressed the majority of these recommended disclosure practices. All participating companies stated that they review their policy regularly, and in most cases annually, and revise it as necessary to address the new reality of the scope and timeliness of disclosures. The disclosure policy forms the foundation of the DCP for every company that participated in the study. Although a formal disclosure policy is not required, smaller issuers should ensure that all risks associated with disclosure are covered in one way or another, as the smaller size of the issuer is not a valid defense for non-compliance. Whether the policy was being developed or one already existed and was merely being reviewed and updated, companies used this process of development or revision as an opportunity. It was used by some participants as an orientation process for all employees and, in particular, employees involved in the disclosure process, to communicate the increased need for awareness and sensitivity with respect to the disclosure of material information both internally and externally. Scope of disclosure policy A disclosure policy incorporates a broad range of information. It defines who is subject to the policy, which usually includes all employees, management and, although not in all cases, the Board. The policy gives the people of the organization responsibility for disclosure. It also covers the scope of DCP, detailing key elements, regulatory filings, other types of disclosure, and a recommended disclosure approach. It is the ideal document to identify the disclosure universe of the corporation, building an understanding across the organization as to when, where, and how DCP are applicable. In this context, it can be used to confirm that the disclosure universe is much broader than the corporate regulatory reporting universe, something that for some employees may be a new concept. Roles and responsibilities The policy can make it very clear as to: Who in the organization is authorized to speak for it. Who is responsible for the various disclosure processes throughout the organization. It is not uncommon for investment analysts and media to approach various members of a corporation in search of information. With a policy that provides clarity in this area, individuals who are approached for information know whether or not they can speak, and if they can, that they need to be prepared, or if they cannot they need to refer to someone else. The policy can be as specific as indicating what each individual is authorized to disclose. 11 National Policy Disclosure Standards.

23 22 Understanding Disclosure Controls and Procedures The policy is useful in clarifying roles and responsibilities in the disclosure process for anyone involved in disclosure, such as: Individuals coordinating and overseeing the disclosure process The disclosure committee The CEO and CFO (who may or may not be members of the disclosure committee) The Board, Audit Committee or other Board Committees Other key employees and management, and other relevant internal committees. Materiality The policy commonly provides a definition of materiality to be used by the corporation and can often provide examples of material information or events that need to be addressed for disclosure purposes. Common elements within the policies reviewed included: A description of the decision process related to materiality Who is involved Documentation required Who holds the ultimate responsibility for the decision, which more often than not lies with the CEO and CFO. It is common that the disclosure committee will provide recommendations to the CEO and CFO on materiality decisions. Materiality is discussed in greater detail in the Capability Assessment section of this document under How do we determine what information is material? Other issues In addition to the documents that must be filed, companies provide considerable information on their activities and prospects. To the extent that such disclosure is presented to limited audiences, the company risks being accused of selective disclosure. To manage this, disclosure policies commonly address such issues as: The use of trading restrictions and black-out periods Identifying who is responsible for managing unusual events The process for handling news releases, conference calls and webcasts The process for providing a simultaneous disclosure of material presented in planned sessions A policy on responding to rumours The appropriate contact with the investment community including meeting and communicating with analysts, investors, and media and responsibility for reviewing analyst s reports Identifying who can dialogue with the investment community and participate in investor conferences Dealing with forward-looking information and managing expectations of the investment community

24 23 Understanding Disclosure Controls and Procedures Procedures for managing other disclosure channels such as electronic communications, corporate website, corporate and public presentations to parties other than the investment community The requirement to promptly make public any inadvertently disclosed information The approach for dealing with other oral or written public disclosures that may not be material but may require attention from certain individuals in the company prior to disclosure A policy on maintaining disclosure records including a multi-year file of all public information, and all continuous disclosure documents. The above material is a summary of what has been covered in disclosure policies reviewed in the study, but policies do not have to be limited to this. Also, if these issues are dealt with elsewhere, the disclosure policy may only need to reference this fact. The creation and existence of a disclosure policy is not enough. The policy must be broadly communicated and understood. Some companies involve many individuals from across the organization to develop, draft or revise the policy, and find this process integral to its implementation. As individuals provide input on the policy, they become familiar with its content and develop a greater understanding of it. It is critical that everyone is aware of the disclosure policy, understands it, and ultimately accepts it as the key guide to the corporate disclosure process. Posting the policy on the internal corporate website is a method used by some companies to enhance awareness but it is not considered to be enough by participating companies. Many of them offered a training process either in-person or on-line sessions, or a combination thereof to enable employees and other company members to access the policy, learn about its contents and its implications, and develop an understanding of their disclosure responsibilities. The disclosure policy is one critical element of the corporation s demonstration of commitment to disclosure. Participating companies stated that individuals must also be held accountable for compliance with the disclosure policy, and their signature, or some form of on-line indication of this, was a common element to confirm their commitment. The Canadian Investor Relations Institute has developed a model disclosure policy that many issuers have found useful in developing their own policy. A copy may be obtained by contacting the institute at www. ciri.org. The last update to the CIRI model was in 2003 and as a result it will be necessary to update and expand the model to reflect more recent changes to securities laws and disclosure practices.